[OAUTH-WG] Federated Authentication for RDAP

"Hollenbeck, Scott" <shollenbeck@verisign.com> Mon, 23 March 2015 20:44 UTC

From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: "OAuth@ietf.org" <OAuth@ietf.org>
Date: Mon, 23 Mar 2015 20:44:15 +0000
Message-ID: <831693C2CDA2E849A7D7A712B24E257F49F8A017@BRN1WNEXMBX01.vcorp.ad.vrsn.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/HvSffSYGV9q7qWdSrAwe4NAYbW0>

I was going to ask this question during the just-concluded WG session at IETF-92, but with a full agenda and little time I thought it might be better to ask this question on-list.

The Registration Data Access Protocol (RDAP, a work product of the WEIRDS WG) uses a RESTful web service to access data associated with things like domain names and IP address blocks. It's intended to be a replacement for the aged WHOIS protocol. I co-authored a security services document for RDAP that describes how a federated authentication system can address an operational need for client identification, authentication, and authorization, but that document doesn't specify any particular solution or how it can actually be deployed. In the near future implementers will be standing up services and I'd like to explore some workable options. So, I'm looking for advice from people who know more about federated authentication systems than I do.

RDAP clients will be the same type of people who use WHOIS today. Servers will need to be able to identify and authenticate clients and grant appropriate privileges based on their identity and purpose. What kind of federation could be deployed today to meet these needs? Which protocol(s) will do the job and be brain-dead simple for human end users?

Scott
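As an added illustration of the identification, authentication and authorization split the message describes (example code, not from the message, the RDAP documents or any RDAP implementation): a minimal RDAP-style domain lookup that accepts an HS256-signed token standing in for a federation identity provider's assertion and returns registrant contact data only to a verified client whose declared purpose is accepted. The signing key, the `purpose` claim, the accepted-purpose policy and the domain record are constructed assumptions, not anything the message or RDAP specifies.

```python
import base64, copy, hashlib, hmac, json, time
from typing import Optional

# Constructed values: a shared signing key standing in for the federation's identity
# provider, and one RDAP-style domain record whose contact data is privileged.
IDP_SECRET = b"constructed-demo-signing-key"
ACCEPTED_PURPOSES = {"abuse-mitigation"}          # assumed policy, not from the page
DOMAIN_RECORD = {
    "objectClassName": "domain", "ldhName": "example.com",
    "entities": [{"objectClassName": "entity", "roles": ["registrant"],
                  "handle": "REG-1", "email": "registrant@example.com"}],
}

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject: str, purpose: str, ttl: int = 300) -> str:
    """Stand-in for the federation IdP: an HS256 JWS carrying identity and purpose."""
    header = _b64u(json.dumps({"alg": "HS256"}).encode())
    claims = _b64u(json.dumps({"sub": subject, "purpose": purpose,
                               "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(IDP_SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64u(sig)}"

def verify_token(token: str) -> Optional[dict]:
    """Authentication: accept only an unexpired token with a valid signature."""
    try:
        header, claims, sig = token.split(".")
        if json.loads(_b64u_decode(header)).get("alg") != "HS256":
            return None                           # the header never picks the algorithm
        expected = hmac.new(IDP_SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64u_decode(sig)):
            return None
        payload = json.loads(_b64u_decode(claims))
        return payload if payload.get("exp", 0) > time.time() else None
    except (ValueError, TypeError, AttributeError):
        return None

def rdap_domain_lookup(authorization: Optional[str]) -> dict:
    """Authorization: full record only for an authenticated client with an accepted purpose."""
    identity = None
    if authorization and authorization.startswith("Bearer "):
        identity = verify_token(authorization[len("Bearer "):])
    response = copy.deepcopy(DOMAIN_RECORD)       # never mutate the stored record
    if identity and identity.get("purpose") in ACCEPTED_PURPOSES:
        return response
    for entity in response["entities"]:           # everyone else gets a redacted view
        entity.pop("email", None)
    response["remarks"] = [{"title": "Redacted",
                            "description": ["Contact data requires federated authentication"]}]
    return response
```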